The wolfSSL embedded SSL/TLS library supports the Renesas Trusted Secure IP Driver (TSIP) and has been tested on the Renesas RX65N platform. Using the TSIP driver, wolfSSL can offload supported cryptographic and TLS operations to the underlying Renesas hardware for increased performance.
Supported TSIP Capabilities
wolfSSL has been integrated with the following TSIP capabilities:
- TSIP driver open/close
- Random number generation, tested with SP 800-22
- SHA-1 and SHA-256 hash function support
- AES-128-CBC and AES-256-CBC support
- TLS capabilities including:
- Root CA verification
- Client and/or Server certificate verification including intermediate certificate verification
- Support for four TLS cipher suites:
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA256
The Renesas TSIP driver is outside the scope of the wolfSSL package download and needs to be obtained externally from Renesas.
Building wolfSSL with RX65N and TSIP Support
Support for Renesas RX65N and TSIP can be enabled at compile-time in wolfSSL by defining one or both of the following defines:
WOLFSSL_RENESAS_TSIP – enables Renesas TSIP support
WOLFSSL_RENESAS_RX65N – enables support for Renesas RX65N
wolfSSL TSIP Benchmarks
The following benchmarks show the performance improvement when using hardware cryptography on the Renesas RX65N through the Renesas TSIP driver.
Our tests have shown that the implementation of TSIP Accelerated Crypto increased processing speed by an average of 2334%, resulting in 92% faster processing times.
Limitations of TSIP with wolfSSL
The following limitations exist when using wolfSSL with Renesas TSIP:
- TSIP TLS capabilities are fully available only when using one of the TSIP-supported cipher suites. These cipher suites include:
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA256
- The TSIP TLS capabilities support generation of the normal TLS master secret, but do not support the TLS Extended Master Secret Extension. TSIP TLS is not available when Extended Master Secret is used.
- The TSIP TLS certificate verification capability is only available when verifying a certificate signed by “RSA 2048 PSS with SHA-256”.
- The TSIP TLS capability, common cryptography, is available on client-side only. Server-side is not currently supported by the TSIP driver.
- TSIP uses one root CA certificate bundle signature signed by RSA-2048-PSS with SHA-256 available at runtime. When using a different root CA for TSIP TLS capabilities, applications need to call wolfCrypt_Init() to reset the TSIP driver state, then inform TSIP of a new signature and key through the tsip_inform_cert_sign() and tsip_inform_user_keys() APIs.
References
TSIP (Trusted Secure IP) Module Firmware Integration Technology APPLICATION NOTE Rev. 1.06
Support
More information on using wolfSSL in combination with Renesas and wolfSSL’s support for Renesas can be found here: https://www.wolfssl.com/docs/renesas/
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.